From updates-admin@ximian.com  Wed Aug  7 09:20:49 2002
Return-Path: <updates-admin@ximian.com>
Delivered-To: yyyy@localhost.netnoteinc.com
Received: from localhost (localhost [127.0.0.1])
	by phobos.labs.netnoteinc.com (Postfix) with ESMTP id 17FC7440C9
	for <jm@localhost>; Wed,  7 Aug 2002 04:20:46 -0400 (EDT)
Received: from phobos [127.0.0.1]
	by localhost with IMAP (fetchmail-5.9.0)
	for jm@localhost (single-drop); Wed, 07 Aug 2002 09:20:46 +0100 (IST)
Received: from trna.ximian.com (trna.ximian.com [141.154.95.22]) by
    dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g778IYk17098;
    Wed, 7 Aug 2002 09:18:35 +0100
Received: from trna.ximian.com (localhost [127.0.0.1]) by trna.ximian.com
    (8.11.6/8.11.6) with ESMTP id g76Lbr300332; Tue, 6 Aug 2002 17:37:53 -0400
Received: from peabody.ximian.com (peabody.ximian.com [141.154.95.10]) by
    trna.ximian.com (8.11.6/8.11.6) with ESMTP id g76L6C326852 for
    <updates@ximian.com>; Tue, 6 Aug 2002 17:06:12 -0400
Date: Tue, 6 Aug 2002 17:06:12 -0400
Message-Id: <200208062106.g76L6C326852@trna.ximian.com>
Received: (qmail 18772 invoked from network); 6 Aug 2002 21:06:29 -0000
Received: from localhost (127.0.0.1) by localhost with SMTP;
    6 Aug 2002 21:06:29 -0000
From: Ximian GNOME Security Team <distribution@ximian.com>
To: Ximian Updates <updates@ximian.com>
Subject: [Ximian Updates] libpng has a potential buffer overflow when loading progressive images
Sender: updates-admin@ximian.com
Errors-To: updates-admin@ximian.com
X-Mailman-Version: 1.1
Precedence: bulk
List-Id: Announcements about updates to the Ximian GNOME distribution.
    <updates.ximian.com>
X-Beenthere: updates@ximian.com

Severity: Security
Product: libpng
Keywords: Red Carpet libpng buffer overflow
URL: http://support.ximian.com/q?283
References: 
Release Notes for libpng 
ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-list.200207

libpng is a library used to create and manipulate PNG (Portable
Network Graphics) image files.

The 1.2.4* and 1.0.14 releases of libpng solve a potential buffer
overflow vulnerability[1] in some functions related to progressive
image loading. Programs such as mozilla and various others use these
functions. An attacker could exploit this to remotely run arbitrary
code or crash an application by using a specially crafted png image.

These new releases also solve other minor bugs such as some memory
leaks in reading image functions.

Since most applications which display images use libpng, this affects
many applications including Evolution and Mozilla. Additionally, Red
Carpet links libpng statically and needs to be updated separately.

Ximian only ships libpng on Solaris, and so we only have Solaris
packages available. When distribution vendors update their packages,
they will be available in Red Carpet. Please use Red Carpet to upgrade
libpng to 1.0.14 and Red Carpet 1.3.4-2. You can also get packages
from the Ximian FTP site:

Solaris 7/8
ftp://ftp.ximian.com/pub/ximian-gnome/solaris-7-sun4/libpng-1.0.14-1.ximian.1.sparc.rpm
ftp://ftp.ximian.com/pub/ximian-gnome/solaris-7-sun4/libpng-devel-1.0.14-1.ximian.1.sparc.rpm
ftp://ftp.ximian.com/pub/ximian-gnome/solaris-7-sun4/red-carpet-1.3.4-2.ximian.1.sparc.rpm



_______________________________________________
updates maillist  -  updates@ximian.com
http://lists.ximian.com/mailman/listinfo/updates
Please DO NOT reply to this list!  Use bugs@helixcode.com or hello@helixcode.com instead.


